A business model GDPR seeks to change in order to empower consumers, and Experian's unreasonable resistance to changing it.
Data broker firms like Experian collect vast amounts of personal data, such as credit information, health data, and other sensitive details, and then sell or license it for profit. This usually happens without the knowledge of the individuals concerned, because brokers do not do business with individuals directly; they collect the data from third parties.
Covert data processing by data broker firms for profit is the opposite of what GDPR set out to achieve: changing the balance of power between individuals and businesses by enhancing individual control over personal data. Individuals cannot exercise that control without access to detailed and relevant information about how their data is collected, used, and shared.
This lack of transparency in the data brokering business was one of the major GDPR violations found in the recent Experian decision by the UK’s ICO.
The ICO issued an enforcement notice to Experian for its processing of personal data for offline direct marketing purposes, citing unlawful processing and a lack of transparency under the EU's General Data Protection Regulation.
In this article, we will analyze how the ICO’s Experian notice addresses the transparency requirement under GDPR and what lessons are to be learned for GDPR transparency.
Experian is a credit reference agency that also operates a data brokering business. As a Credit Reference Agency (CRA), Experian is authorised by law to receive and compile credit information on individuals, draft credit reports, and determine credit scores based on this data. These reports and credit scores give insight into the financial situation of individuals and are used by lenders.
Experian also runs a separate data brokering business: alongside financial information, it collects personal data such as names, addresses, and purchases from various sources, including third-party businesses and other brokers.
Through this massive collection of data, Experian is able to construct highly detailed and accurate consumer profiles for use in marketing and other purposes.
While the ICO’s investigation involved multiple CRAs, only Experian, which says it will challenge the decision, was singled out for enforcement action.
The ICO identified six key violations:
Experian's privacy information gave some details about its data brokerage operations, but it was not clear enough because it did not address how data was collected, used, or sold.
Experian collected personal data from third-party sources rather than directly from individuals, so it had no direct channel through which to communicate with them.
Experian argued that it did not have to provide privacy information to individuals because there are millions of people to reach out to and it is exempt from this obligation under Article 14’s “disproportionate effort” exemption. The ICO, however, refused this interpretation on the basis that:
Very large numbers of individuals cannot be the deciding factor against it being proportional to notify people about the processing in these circumstances. Otherwise, this would give controllers a perverse incentive to gather as much data as possible in order to reduce the burden on them to notify people.
This section is noteworthy because it blocks Experian from relying on its business model of collecting as much data as possible to escape its obligation to inform individuals. The ICO's interpretation prioritises the right to information over Experian's scale-based business model and upholds the transparency principle.
Consumers cannot object to sharing their data with Experian for credit reference purposes if they want to borrow from lenders.
However, personal data collected for credit reference purposes was also provided to third parties for offline direct marketing purposes. This was non-compliant with the rights GDPR gives consumers, as:
Equifax, another CRA which was subject to the investigation alongside Experian, collected data from third-party brokers and relied on the consent that these third-party brokers obtained from individuals. ICO found that consent was not specific enough to render processing lawful.
CRAs relied on legitimate interests to justify the use of data for direct marketing services. Legitimate interests require conducting a Legitimate Interest Assessment (LIA).
In this assessment, the CRAs failed to take into account that they were processing data in a highly privacy-intrusive way, because the processing amounted to profiling. Furthermore, the lack of transparency weighed against Experian.
In certain instances, Experian collected data from third parties based on the consent of individuals. However, Experian then processed this data by relying on its legitimate interests. ICO found that it is not possible to switch the lawful basis.
When individuals expressed consent, they were not informed about Experian’s processing activities so the original consent was not specific enough to render Experian’s processing activity lawful.
A few characteristics of the data brokering industry make transparency a key consideration:
Data brokering firms such as Experian do not obtain data from individuals directly; they collect it from third parties and public sources, then analyse, trade, and exchange it with each other and with third parties. The circulation of data and its use in a variety of ways, some of them privacy-intrusive, deepens the lack of transparency.
For example, a data broker called USData aggregated sensitive personal data, such as gender, sexuality, and lifestyle, of around 5 million people from the online dating app Plenty of Fish, and sells this data to third parties. A Spanish researcher reported that she was able to purchase 1 million profiles for €136.
Unlike large consumer-facing tech platforms such as Facebook, Google, and Spotify, data brokering firms like Experian are often overlooked by consumers as they are not involved in a direct relationship and they are not household names. While the majority of consumers express worry about the likes of Facebook and go through their privacy policies, they are unlikely to have heard of data brokering firms like Experian.
According to Pew Research, for instance, 48% of Americans report feeling a complete lack of control over the privacy of their searches, and 35% feel the same about social media apps. The same level of concern does not exist for data brokers.
According to the ICO, Experian's use of data should have been addressed in the first layer of its privacy notice, because it amounted to processing data in an unexpected way; Experian failed to do so.
Consumers are constantly bombarded with information and come across many privacy notices every day. It is unreasonable to expect a consumer to search through a privacy notice to find out about the use of their data for direct marketing purposes.
ICO’s approach aligns with consumer behavior and requires a data controller to take more active steps to make the information visible to consumers.
The takeaway would be: The more unexpected a data processing activity is, the more prominent it should be in the privacy notice to ensure transparency.
Organizations processing personal data must rely on lawful bases and ‘legitimate interests’ is one of the six bases defined in Article 6 of GDPR.
In some instances, Experian collected data from third parties on the basis that individuals gave consent to the relevant third parties. However, once Experian obtained this data, it switched to relying on legitimate interests to process data for direct marketing purposes.
Transparency of processing should be factored into the legitimate interests assessment. Since the processing was not transparent, the balancing test weighs heavily against Experian.
Experian collects and exchanges sensitive financial data, which puts consumers at risk of being profiled and adversely affected.
Another characteristic of Experian's business is that consumers have no choice about sharing their data with CRAs like Experian, because the CRAs are authorised by law to collect such data.
Considering these factors, Experian should be subject to a higher level of transparency requirements.
Experian used the data it collected for credit reference purposes also for direct marketing purposes. For example, individuals are categorized based on their financial standing and marketers decide whether to send marketing materials to individuals on this basis.
If an individual is categorised as "unlikely to afford product/service", for instance, he or she was disqualified from receiving any promotional materials.
Examples of such categorisations include "bank of mom and dad", "Asian heritage" and "uptown elite".
ICO ruled that Experian’s Privacy Notice’s brief reference to the use of data for direct marketing purposes lacked details to render it understandable to consumers.
Experian has profiled individuals, which is highly intrusive, and made a profit by selling these profiles to marketers. The failure to explain the adverse effects to individuals violates transparency.
Transparency is the foundation that will enable individuals to exert control over the use and collection of their data by making informed decisions. Here are the main lessons for businesses in terms of ICO’s take on the transparency principle:
Individuals largely interact with first-party service providers and share their data with them, including banks, retailers, and utility providers. Even if these first parties give information about sharing data with data brokers and provide a link to brokers’ privacy information, this is not enough to satisfy transparency requirements.
A data broker's privacy information should explain, in sufficient detail, where the data comes from, who it is shared with, and what specific processing activities occur.
Vague phrases such as "we may process your data for direct marketing purposes" are not clear enough. Brokers should also specify who will use the data for direct marketing and how.
Furthermore, the most unanticipated data processing activities should be displayed in the first layer of the privacy notice. The more privacy-intrusive and unexpected the processing, the greater the responsibility to inform individuals in order to comply with transparency requirements.
Transparent processing of personal data ensures that individuals have a clear understanding of what data is collected, who stores it, purposes for processing, and what specific processing occurs.
This knowledge is a prerequisite for the exercise of data subject rights enshrined in GDPR such as the right of access, right to object, right to delete data, and right to rectification.
As ICO put it:
Failure to ensure transparency prevents individuals from exercising control over their data because access to information is the first step to making a decision such as asking for deletion of data.
It is clear from the GDPR's definition of consent (Article 4(11)) that transparency is essential for valid consent, because consent must be "informed" and "specific".
Unlike consent, the legitimate interests ground gives businesses more flexibility and is widely used to justify data processing.
In legitimate interests, the interests of a business must be balanced against the rights, freedoms, and interests of individuals. In this regard, ICO explicitly set forth that lack of transparency weighs against justifying reliance on legitimate interests.
Including transparency in the legitimate interests assessment prevents businesses from relying on legitimate interests to escape the requirement, inherent in consent, that individuals be informed: informing individuals cannot be eliminated.
If individuals are to exercise the control over their data that privacy laws such as GDPR confer on them, transparency is a prerequisite for them to exercise their rights and take action.
GDPR was enacted for the likes of Experian to change their business practices and achieve transparent processing of personal data. Experian’s resistance to comply with transparency requirements is alarming.